Sarah Edwards has written an amazing blog post at mac4n6, which will help you to mount APFS and 4k disk images on macOS 10.13, both RAW and EWF, using xmount. If you are dealing with macOS forensics, this is a must read!
Cindy Murphy from Gillware has published a very interesting post on how to reset the backup password in iOS 11. Here is an excerpt from it: “Appleâs help page about encrypted backups got an update when iOS 11 came out. They give the following advice for people who have forgotten their backup password: You canât restore an encrypted backup without its password. With iOS …
SANS Institute has presented a short tutorial with Lenny Zeltser on how to intercept IP connections in a malware analysis lab:
Jason Hale has published an interesting post on how to use the amcache to track USB devices. You can find device serial numbers, descriptions (e.g. FriendlyName-like values), volume names, VID/PID data, and more.
Mari DeGrazia has published a very useful post, which will help you to learn how to find and decode malicious PowerShell scripts. You will learn, which events to check, how to detect PowerShell and decode scripts. According to Mari, it’s only the first part, she will keep writing and teach us how to detect malicious PowerShell scripts in registry (part 2) …
SUMURI presented a free step by step Mac forensics guide. You will learn how to obtain system date and time, image a data source, mount acquired image, use indexing for keyword searches and report on your findings. The guide consists of 25 steps and can be downloaded here.
Heather Mahalik, the author of Practical Mobile Forensics and SANS FOR585, has written a post about forensicating iOS 11 iMessages and SMS. The first thing to be noted, common mobile forensic tools not parsing these messages correctly, at least sometimes, especially timestamps, so the best way is to parse the sms.db contents manually. The thing is – you can see …
In this post Lionel Faleiro shows how to use Powerforensics, a PowerShell framework created for hard drive forensic analysis by Jared Atkinson, for Windows LNK forensic analysis.
Here is a guide on how to remotely dump Linux RAM with LiMEaide – a python application designed to remotely dump RAM of a Linux client and create a volatility profile for later analysis on your forensic workstation. The process includes six steps: Make a remote connection with specified client over SSH Transfer necessary build files to the remote machine Build the …
Phill Moore has written a nice post in his new blog – ThinkDFIR. This post will help you to understand what orphaned files are (of course if you still don’t know).
Login
